The field of this invention is data communications; more particularly, the invention relates to authentication of remote terminals, including computers, in a communications system.
Access control and authentication of remote users have been problems of increasing importance, particularly in the field of electronic funds transfer (EFT) and other fields requiring secure data communications. The National Bureau of Standards has adopted the data encryption standard (DES) as a relatively efficient method, in terms of hardware and time, of encrypting data for transmission. However, the DES is presently believed to have an insufficient degree of security for many users, and presents problems in the area of key distribution.
There are other, more secure types of systems known in the prior art, such as those known as public key systems. In general, the public key system includes a plurality of terminals coupled by a communications medium, where each terminal has an associated encryption procedure (or transformation or operator) E and a different decryption procedure (or transformation or operator) D, which may be applied to a message M. These transformations E and D are related so that E(M)=C and D(C)=M. Moreover, pairs of transformations E and D are relatively easy to generate, but D is substantially not derivable from E. As used herein, the term "substantially not derivable" means not practically feasible. In addition, the encryption transformation and the decryption transformation are inversely related so that E(D(M))=D(E(M))=M. An encryption transformation meeting these conditions is referred to as a trap-door, one-way function.
Each terminal may generate its own encryption key/decryption key pair (E,D). By way of example, a first terminal (denoted A) may be characterized by an encryption key E_A and a decryption key D_A, and a second terminal (denoted B) may be characterized by an encryption key E_B and a decryption key D_B. In a typical public key system, the encryption keys E_A and E_B are made publicly available, while the decryption keys are kept secret by the respective terminals. Terminal A may then use terminal B's encryption key to send an encrypted message C (=E_B(M)) to terminal B over an open, or non-secure, channel. Since only terminal B knows D_B, and D_B is substantially not derivable from E_B, only terminal B can determine the message content of the encrypted message by reverse transforming C, i.e. D_B(C)=D_B(E_B(M))=M.
Moreover, if terminal A had further encoded C with its secret decryption key (i.e. D_A(E_B(M))=C), then terminal B can decode the message using terminal A's known encryption key (E_A) and its own secret decryption key D_B to obtain the message M, i.e. E_A(D_B(C))=M, and be assured that only terminal A could have authored the message (since only terminal A could generate a message that could be decoded with E_A). For example, see Trans. Inform. Theory, IT-22, 6 (November 1976).
The integrity of public key systems is primarily dependent on the degree of confidence in the one-way trap-door function. There are two generally known approaches to the one-way trap-door function. The first, using knapsack functions, has been proposed by R. Merkle and M. Hellman. Another, referred to as the RSA Technique, is based on the difficulty of factoring large composite numbers. See Rivest, et al., "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Comm. ACM, Vol. 21, No. 2 (February 1978). While all the known approaches may be considered to be "breakable" in some sense (for example, by trial and error), at this time the RSA technique system appears somewhat more secure than other known cryptographic techniques. See Scientific American, (August 1982), p. 67B, 68.
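As an added illustration (not part of the original text), the following sketch uses textbook RSA with tiny constructed primes to show the relations D(E(M))=M and E(D(M))=M described above, and that D stays "substantially not derivable" from E only while the modulus is too large to factor. The function names, the exponent 17 and the primes are assumptions chosen for the example; there is no padding and the key sizes are far below anything usable.

```python
# Added illustration: textbook RSA with deliberately tiny, constructed primes.
# No padding and no realistic key sizes; all names here are hypothetical.
from math import gcd

def make_keypair(p, q, e=17):
    """Return (E, D) as ((e, n), (d, n)) built from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # the trap-door: computing d needs p and q (Python 3.8+)
    return (e, n), (d, n)

def transform(key, m):
    """Apply E or D; both are modular exponentiation on a block m < n."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message block must be in [0, n)")
    return pow(m, exp, n)

def derive_d_by_trial(public_key):
    """Recover D from E by trial-division factoring of n.
    Works only because n is tiny; the cost grows with sqrt(n)."""
    e, n = public_key
    p = next(f for f in range(3, int(n ** 0.5) + 1, 2) if n % f == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)

# Constructed toy parameters for terminals A and B.
E_A, D_A = make_keypair(1009, 1013)
E_B, D_B = make_keypair(1031, 1033)

def demo(m=424242):
    c = transform(E_B, m)  # A sends C = E_B(M) to B over the open channel
    return {
        "ciphertext_differs": c != m,
        "b_recovers": transform(D_B, c) == m,                # D_B(E_B(M)) = M
        "commutes": transform(E_B, transform(D_B, m)) == m,  # E_B(D_B(M)) = M
        "toy_key_broken": derive_d_by_trial(E_B) == D_B,     # n is far too small
    }

if __name__ == "__main__":
    print(demo())
```

With a modulus of realistic size the trial-division loop in `derive_d_by_trial` never finishes in practice, which is the whole basis of the scheme's security.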
However, while the public key systems are considered to be much more secure than the DES-based systems, the known public key systems are considerably slower in operation than the DES-based systems. As suggested by the Rivest, et al. paper cited above, a public key system can be used on a short-term basis to distribute keys for a more conventional DES-type system that is used for long-term data links. However, short of using the doubly complex (and correspondingly slow) public key digital signature approach to ascertain the authenticity of a user, there are no efficient methods in the prior art to accomplish this task.
Accordingly, it is an object of the present invention to provide an improved authentication system which permits authentication of a remote user, so that linked terminals can be sure that users are who they say they are, and so that, as a consequence, DES or other hardware- and time-efficient encryption techniques may be used with a relatively high confidence level.
It is another object to provide an improved authentication system which permits confirmation that a remote terminal including a programmed computer is in fact using the program that it asserts that it is using.